Automate threat response with playbooks in Microsoft Sentinel
SOC analysts deal with numerous security alerts and incidents, and the sheer volume can overwhelm teams, leading to ignored alerts and uninvestigated incidents. Many alerts and incidents can be addressed by the same sets of predefined remediation actions, which can be automated to make the SOC more efficient and free up analysts for deeper investigations.
Use Microsoft Sentinel playbooks to run preconfigured sets of remediation actions to help automate and orchestrate your threat response. Run playbooks automatically, in response to specific alerts and incidents that trigger a configured automation rule, or manually and on-demand for a particular entity or alert.
For example, if an account and machine are compromised, a playbook can automatically isolate the machine from the network and block the account by the time the SOC team is notified of the incident.
Note
Because playbooks make use of Azure Logic Apps, additional charges may apply. Visit the Azure Logic Apps pricing page for more details.
Recommended use cases
The following table lists high-level use cases where we recommend using Microsoft Sentinel playbooks to automate your threat response:
| Use case | Description |
|---|---|
| Enrichment | Collect data and attach it to an incident to help your team make smarter decisions. |
| Bi-directional sync | Sync Microsoft Sentinel incidents with other ticketing systems. For example, create an automation rule for all incident creations, and attach a playbook that opens a ticket in ServiceNow. |
| Orchestration | Use the SOC team's chat platform to better control the incidents queue. For example, send a message to your security operations channel to make sure your security analysts are aware of the incident. |
| Response | Immediately respond to threats, with minimal human dependencies, such as when a compromised user or machine is indicated. Alternately, manually trigger a series of automated steps during an investigation or while hunting. |
Prerequisites
The following roles are required to use Azure Logic Apps to create and run playbooks in Microsoft Sentinel.
| Role | Description |
|---|---|
| Owner | Lets you grant access to playbooks in the resource group. |
| Microsoft Sentinel Contributor | Lets you attach a playbook to an analytics or automation rule. |
| Microsoft Sentinel Responder | Lets you access an incident in order to run a playbook manually, but doesn't allow you to run the playbook. |
| Microsoft Sentinel Playbook Operator | Lets you run a playbook manually. |
| Microsoft Sentinel Automation Contributor | Allows automation rules to run playbooks. This role isn't used for any other purpose. |
The following table describes required roles when you select Standard logic app to create your playbook:
| Logic app | Azure roles | Description |
|---|---|---|
| Standard | Logic Apps Standard Operator | Enable, resubmit, and disable workflows in a logic app. |
| Standard | Logic Apps Standard Developer | Create and edit logic apps. |
| Standard | Logic Apps Standard Contributor | Manage all aspects of a logic app. |
The Active playbooks tab on the Automation page displays all active playbooks available across any selected subscriptions. By default, a playbook can be used only within the subscription to which it belongs, unless you specifically grant Microsoft Sentinel permissions to the playbook's resource group.
Extra permissions required for Microsoft Sentinel to run playbooks
Microsoft Sentinel uses a service account to run playbooks on incidents, to add security and enable the automation rules API to support CI/CD use cases. This service account is used for incident-triggered playbooks, or when you run a playbook manually on a specific incident.
In addition to your own roles and permissions, this Microsoft Sentinel service account must have its own set of permissions on the resource group where the playbook resides, in the form of the Microsoft Sentinel Automation Contributor role. Once Microsoft Sentinel has this role, it can run any playbook in the relevant resource group, manually or from an automation rule.
To grant Microsoft Sentinel with the required permissions, you must have an Owner or User access administrator role. To run the playbooks, you'll also need the Logic App Contributor role on the resource group that contains the playbooks you want to run.
Playbook creation and usage workflow
Use the following workflow to create and run Microsoft Sentinel playbooks:
Define your automation scenario.
Create your playbook and build your logic app. For more information, see Create and manage Microsoft Sentinel playbooks.
Test your logic app by running it manually. For more information, see Run a playbook manually, on demand.
Configure your playbook to run automatically on a new alert or incident creation, or run it manually as needed for your processes. For more information, see Respond to threats with Microsoft Sentinel playbooks.